AWS RDS Master User Password Reset Detection
Detection of unauthorized master user password resets for Amazon RDS DB instances via AWS CloudTrail logs, potentially leading to sensitive data access and data breaches.
This analytic detects the resetting of the master user password for an Amazon RDS DB instance. The detection leverages AWS CloudTrail logs ingested via Amazon Security Lake to identify events where the ModifyDBInstance or ModifyDBCluster API calls include a new masterUserPassword parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, which may contain sensitive information such as credit card numbers, PII, or protected health information. If the password reset is confirmed to be malicious, it could lead to data breaches, regulatory non-compliance, and significant reputational damage. This detection is based on version 8 of the Splunk Security Content analytic "ASL AWS Credential Access RDS Password reset" published on April 15, 2026.
Attack Chain
- An attacker gains initial access to an AWS account, potentially through compromised credentials (T1110) or phishing (T1586.003).
- The attacker leverages the AWS Management Console or AWS CLI to interact with the RDS service.
- The attacker issues a
ModifyDBInstanceorModifyDBClusterAPI call. - Within the
ModifyDBInstanceorModifyDBClusterAPI call, the attacker includes themasterUserPasswordparameter. - The RDS service processes the request and resets the master user password for the specified database instance or cluster.
- The attacker uses the newly reset master user password to authenticate to the RDS database instance.
- The attacker gains access to sensitive data stored within the RDS database.
- The attacker exfiltrates or manipulates the data for malicious purposes.
Impact
A successful attack resulting in unauthorized password reset can lead to a complete compromise of the RDS database instance. This could result in data breaches with millions of records exposed, regulatory fines for non-compliance (e.g., GDPR, HIPAA), and severe reputational damage affecting customer trust and stock prices. Sectors heavily reliant on RDS databases, such as finance, healthcare, and e-commerce, are particularly vulnerable.
Recommendation
- Deploy the Sigma rule
AWS RDS Master User Password Resetto your SIEM and tune for your environment using AWS CloudTrail logs ingested via Amazon Security Lake. - Investigate any detected instances of
ModifyDBInstanceorModifyDBClusterAPI calls containing themasterUserPasswordparameter by pivoting to the originating IP address (src_endpoint.ip) and user agent (http_request.user_agent) from the Sigma rule. - Implement multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to manage RDS instances, to mitigate compromised credential attacks (T1110).
- Review and enforce the principle of least privilege for IAM roles, ensuring that users only have the necessary permissions to perform their job functions.
- Monitor AWS CloudTrail logs for other suspicious API calls related to RDS, such as modifications to security groups or network ACLs.
Detection coverage 2
AWS RDS Master User Password Reset
highDetects when the master user password for an Amazon RDS DB instance is reset via the AWS API. This may indicate credential compromise or other unauthorized activity.
AWS RDS DBCluster Master User Password Reset
highDetects when the master user password for an Amazon RDS DBCluster is reset via the AWS API. This may indicate credential compromise or other unauthorized activity.
Detection queries are available on the platform. Get full rules →